Full Report
No rest for project maintainers battered by slew of vulnerability disclosures The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that hackers are exploiting a max-severity remote code execution (RCE) vulnerability in workflow automation platform n8n.…
Analysis Summary
# Vulnerability: Multiple RCE Flaws in n8n Expression Engine
## CVE Details
- **CVE ID:** CVE-2025-68613 (Primary focus), CVE-2026-21858, CVE-2026-25049
- **CVSS Score:** 9.9 (Critical) for CVE-2025-68613; 10.0 (Critical) for CVE-2026-21858
- **CWE:** Improper Input Validation / Expression Language Injection
## Affected Systems
- **Products:** n8n (Workflow Automation Platform)
- **Versions:** Releases prior to v1.122.0 are confirmed vulnerable to CVE-2025-68613.
- **Configurations:** Systems utilizing n8n’s expression evaluation engine; specifically instances where users have permissions to create or modify workflows.
## Vulnerability Description
The primary vulnerability (CVE-2025-68613) exists within n8n’s expression evaluation engine. Authenticated attackers can inject malicious payloads into expressions that the platform executes without sufficient validation, which allows Remote Code Execution (RCE) on the host system. A subsequent flaw (CVE-2026-25049) identified an additional bypass in the same engine, while CVE-2026-21858 involves improper handling of webhooks and allows unauthenticated RCE.
## Exploitation
- **Status:** **Exploited in the wild.** CISA added CVE-2025-68613 to the Known Exploited Vulnerabilities (KEV) catalog in March 2026.
- **Complexity:** Low (for CVE-2025-68613, requiring only low-privilege access).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Access to sensitive data, secrets, and environment variables).
- **Integrity:** High (Ability to modify workflows and inject malicious code into supply chains).
- **Availability:** High (Full host compromise and potential system takeover).
## Remediation
### Patches
- **CVE-2025-68613:** Update n8n to **v1.122.0** or later.
- **Subsequent Flaws:** Users are strongly advised to update to the latest available version of n8n to address the follow-up vulnerabilities (CVE-2026-21858 and CVE-2026-25049).
### Workarounds
- No specific software workarounds are provided in the article; immediate patching is the recommended course of action.
- Restrict access to the n8n dashboard and ensure only trusted users have "create/edit" workflow permissions.
## Detection
- **Indicators of Compromise:** Monitor for unusual system-level operations or unintended command executions originating from the n8n host process. Check logs for suspicious or heavily nested payloads within expressions.
- **Detection Methods and Tools:** Audit n8n user accounts for unauthorized low-privilege users. Review CISA’s KEV catalog updates for associated IP addresses or specific exploit patterns as they become available.
## References
- n8n Security Advisory (CVE-2025-68613): hxxps[://]github[.]com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp
- CISA KEV Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- Resecurity Research: hxxp[://]cve-2025-68613/
- CISA News Alert: hxxps[://]www[.]cisa[.]gov/news-events/alerts/2026/03/11/cisa-adds-one-known-exploited-vulnerability-catalog